[Pam-ssh-users] [patch] support for "standalone" session module
From: buc <bu...@od...> - 2004-10-19 10:54:42
Hi,

Currently, it is impossible to use the "session" module without the "auth" module, because "auth" stores the "getpwnam()" results and later "session" uses this stored data instead of its own getpwnam() call.

Theoretically, a standalone "session" may be useful if you want to just invoke one instance of ssh-agent (from several console logins), and add keys to it later.

Another example is my own case. I am using a self-patched version of RedHat's pam_console, which allows me to log in with a password *once* (either console or gdm). Additional logins don't require a password. I use a pam config like this:

auth required pam_securetty.so
auth sufficient pam_console.so
auth required pam_stack.so service=system-auth
auth optional pam_ssh.so try_first_pass
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
session optional pam_ssh.so

For the first console login, "pam_console" fails, then the standard "system-auth" is used and later "pam_ssh". For the next logins, pam_console succeeds, therefore the pam_ssh "auth" module is not invoked, getpwnam() results are not stored, and the pam_ssh "session" fails because of this.

I have made a patch to resolve this problem (see below). IMHO, the cost of additional getpwnam() calls is minimal -- either it is access to the local /etc/passwd, or the nscd caching daemon is running (:-)) for nisplus or ldap etc.

--
Dmitry Butskoj <dm...@bu...>
Saint-Petersburg, Russia
Red Hat Certified Engineer 809003662809495

diff -Nrbu pam_ssh-1.91/pam_ssh.c pam_ssh-1.91-OK/pam_ssh.c --- pam_ssh-1.91/pam_ssh.c 2004-04-12 17:55:08.000000000 +0400 +++ pam_ssh-1.91-OK/pam_ssh.c 2004-10-04 18:45:43.000000000 +0400 @@ -350,7 +350,6 @@ #endif const char *pass; /* passphrase */ const struct passwd *pwent; /* user's passwd entry */ - struct passwd *pwent_keep; /* our own copy */ int retval; /* from calls */ const char *user; /* username */ 
@@ -461,22 +460,6 @@ return PAM_AUTH_ERR; } - /* copy the passwd entry (in case successive calls are made) and - save it for the session phase */ - - if (!(pwent_keep = malloc(sizeof *pwent))) { - pam_ssh_log(LOG_CRIT, "out of memory"); - openpam_restore_cred(pamh); - return PAM_SERVICE_ERR; - } - memcpy(pwent_keep, pwent, sizeof *pwent_keep); - if ((retval = pam_set_data(pamh, "ssh_passwd_entry", pwent_keep, - ssh_cleanup)) != PAM_SUCCESS) { - free(pwent_keep); - openpam_restore_cred(pamh); - return retval; - } - openpam_restore_cred(pamh); return PAM_SUCCESS; } @@ -515,14 +498,16 @@ int start_agent; /* start agent? */ const char *tty_raw; /* raw tty or display name */ char *tty_nodir; /* tty without / chars */ + const char *user; /* username */ log_init(MODULE_NAME, SYSLOG_LEVEL_ERROR, SYSLOG_FACILITY_AUTHPRIV, 0); /* dump output of ssh-agent in ~/.ssh */ - if ((retval = pam_get_data(pamh, "ssh_passwd_entry", - (const void **)(void *)&pwent)) - != PAM_SUCCESS) + if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) return retval; + if (!(user && (pwent = getpwnam(user)) && pwent->pw_dir && + *pwent->pw_dir)) + return PAM_SESSION_ERR; retval = openpam_borrow_cred(pamh, pwent); if (retval != PAM_SUCCESS && retval != PAM_PERM_DENIED) { @@ -842,10 +827,13 @@ const char *ssh_agent_pid; /* ssh-agent pid string */ const struct passwd *pwent; /* user's passwd entry */ struct stat sb; /* to check st_nlink */ + const char *user; /* username */ - if ((retval = pam_get_data(pamh, "ssh_passwd_entry", - (const void **)(void *)&pwent)) != PAM_SUCCESS) + if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) return retval; + if (!(user && (pwent = getpwnam(user)) && pwent->pw_dir && + *pwent->pw_dir)) + return PAM_SESSION_ERR; retval = openpam_borrow_cred(pamh, pwent); if (retval != PAM_SUCCESS && retval != PAM_PERM_DENIED) {
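Review bot: on the @@ -461 hunk, the removed block was the only user of the "ssh_passwd_entry" data item and of the ssh_cleanup callback passed to pam_set_data(); check whether ssh_cleanup is still referenced anywhere and, if not, delete it in the same patch so the module does not carry a dead cleanup routine. Also keep in mind what the removed copy was guarding against: its comment says "in case successive calls are made", i.e. getpwnam()'s static buffer being overwritten by a later lookup before the session phase used it. Re-resolving the user in each session entry point removes the cross-phase dependency, but the same static-buffer hazard now applies within each session function (see the two session hunks).

Review bot: on the @@ -515 hunk in pam_sm_open_session, `pwent = getpwnam(user)` leaves pwent pointing into getpwnam()'s static buffer, and that pointer is then passed to openpam_borrow_cred() and used for the rest of the function; any getpw*() call made in that window (by openpam, by NSS, or later in this function) silently replaces the entry. Copy the fields that are needed, or use getpwnam_r() with a local buffer, before handing pwent on. Two smaller points: the `user &&` test is redundant once pam_get_user() has returned PAM_SUCCESS, and a NULL from getpwnam() caused by an NSS error is reported exactly like an unknown user; logging via pam_ssh_log() before `return PAM_SESSION_ERR;` would make the failure diagnosable, which matters because the module is listed as `optional` in the poster's stack and a silent return leaves no trace of why no agent was started.

Review bot: on the @@ -842 hunk in pam_sm_close_session, this lookup block is a verbatim copy of the one in pam_sm_open_session; factor it into a small helper so the two phases cannot drift apart. More important for the close phase: returning PAM_SESSION_ERR here means the ssh_agent_pid handling that follows is never reached, so if the lookup fails at logout (account removed or NSS unreachable between login and logout) the ssh-agent started at login keeps running with its keys loaded. Since the open phase has already resolved the user successfully, saving what close needs (pw_dir, or better the agent pid) with pam_set_data() at open time, rather than re-resolving the user at close time, avoids that orphaned-agent case while keeping the session module independent of the auth phase.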
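The message argues that each session entry point should resolve the PAM user itself instead of depending on data the auth phase stored. As an added example, not code from pam_ssh or from the patch above, the helper below does that lookup with getpwnam_r() so the passwd entry lives in a caller-owned buffer rather than getpwnam()'s static one, and it distinguishes "no such user", "entry without a home directory" and "lookup error" (including a too-small buffer), which a caller returning PAM_SESSION_ERR would otherwise fold into one code. The names lookup_user, agent_dir_for and the LOOKUP_* codes are mine, and the codes stand in for PAM return values.

```c
/* Added example, not part of pam_ssh or of the patch in this message.
 * Resolves a user name into a caller-owned passwd copy, as a session
 * phase that does not trust auth-phase data would need to. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Outcome codes; in a real module these map onto PAM return values. */
enum lookup_result {
    LOOKUP_OK = 0,
    LOOKUP_NO_USER,   /* name not present in the passwd database */
    LOOKUP_NO_HOME,   /* entry exists but pw_dir is NULL or empty */
    LOOKUP_ERR        /* NSS/system error or scratch buffer too small; errno set */
};

/* Fill *out from the passwd database. 'scratch' backs the string fields of
 * *out (pw_dir, pw_name, ...) and must outlive any use of them, which is
 * exactly what a pointer into getpwnam()'s static buffer cannot promise. */
int lookup_user(const char *user, struct passwd *out,
                char *scratch, size_t scratch_len)
{
    struct passwd *result = NULL;
    int rc;

    if (!user || !*user)
        return LOOKUP_NO_USER;

    rc = getpwnam_r(user, out, scratch, scratch_len, &result);
    if (!result) {
        /* getpwnam_r reports "not found" as 0 or one of these errno values;
         * anything else (ERANGE, EIO, ...) is a genuine failure. */
        if (rc == 0 || rc == ENOENT || rc == ESRCH || rc == EBADF || rc == EPERM)
            return LOOKUP_NO_USER;
        errno = rc;
        return LOOKUP_ERR;
    }
    if (!out->pw_dir || !*out->pw_dir)
        return LOOKUP_NO_HOME;
    return LOOKUP_OK;
}

/* Derive the per-user directory (~/.ssh) a session phase would write the
 * agent output to. Illustrative path construction only. */
int agent_dir_for(const char *user, char *path, size_t path_len)
{
    struct passwd pw;
    char scratch[4096];   /* large enough for any sane passwd entry */
    int rc = lookup_user(user, &pw, scratch, sizeof scratch);

    if (rc != LOOKUP_OK)
        return rc;
    if (snprintf(path, path_len, "%s/.ssh", pw.pw_dir) >= (int)path_len) {
        errno = ENAMETOOLONG;
        return LOOKUP_ERR;
    }
    return LOOKUP_OK;
}

int main(int argc, char **argv)
{
    char path[4096];
    const char *user = argc > 1 ? argv[1] : "root";
    int rc = agent_dir_for(user, path, sizeof path);

    if (rc == LOOKUP_OK)
        printf("%s -> %s\n", user, path);
    else
        fprintf(stderr, "lookup of '%s' failed: code %d (%s)\n",
                user, rc, rc == LOOKUP_ERR ? strerror(errno) : "n/a");
    return rc == LOOKUP_OK ? 0 : 1;
}
```

Run it with a user name as the only argument; with no argument it looks up root. The scratch buffer is the design point: because the strings are copied into memory the caller owns, the entry survives any later getpw*() call made by openpam or NSS, which is the hazard the patch's direct getpwnam() use reintroduces.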